Password Best Practices and Standards


Protect Your Password

Your University Computing Account username and password are your key to accessing a wide range of resources at Pitt. For faculty and staff, these resources include sensitive information such as your Pitt Worx pay statements, benefits open enrollment, TIAA-CREF retirement account details, and UPMC health plan information. In addition, your University Computing Account has access to other data that is regulated by the Family Educational Rights and Privacy Act (FERPA) and Gramm-Leach-Bliley (GLB) ActYou should never share your password with anyone, for any reason. By protecting your password, you also protect the important resources and data to which your password grants you access.



Pitt Information Technology uses a robust array of sophisticated security tools to protect University information. However, everyone affiliated with Pitt shares in the critical responsibility of protecting the University’s computing environment. It is against University policy 10-02-05University policy 10-02-06, and security best practices to share your username and password with anyone. If you need to delegate responsibility for password-protected functions to another person, please call the Technology Help Desk at 412-624-HELP (4357) to request assistance. Most of our enterprise services support this type of delegation. 

Keep in mind these important password tips: 

  • Create a strong password that combines eight to 14 letters, numbers, and special characters – in general, the longer the better!
  • Be sure to log out when you have finished using the My Pitt website or other computing resources that require you to log in with your password. It is also recommended that you close all browser windows and completely exit your web browser program when you have finished using the service.
  • Change your password regularly. Students, faculty, and staff are required to change their University Computing Account password at least every 180 days.
  • Remember that no one from any reputable organization, including the University of Pittsburgh, will ever ask you to divulge your password over the phone or in an email. If you are asked for your password in an email or over the phone, this is usually a sure sign of a phishing scam.
  • Scan your computer regularly with Antivirus since some viruses and spyware programs can collect and transmit your account information. Learn more... 
  • If you have not already done so, set your Password Security Questions at the Accounts Self-Service page.

The following table illustrates the time it would take a hacker to brute-force crack your password for different types of characters as well as character count:

Time It Takes A Hacker To Brute Force Your Password

Number of Characters Numbers   Only   Lowercase  Letters   Upper and Lowercase Letters Numbers, Upper and Lowercase Letters Numbers, Upper and Lowercase Letters, Symbols
4 Instantly Instantly 3 secs 6 secs 9 secs
5 Instantly 4 secs 2 mins 6 mins 10 mins
6 Instantly 2 mins 2 hours 6 hours 12 hours
7 4 secs 50 mins 4 days 2 weeks 1 month
8 37 secs 22 hours 8 months 3 years 7 years
9 6 mins 3 weeks 33 years 161 years 479 years
10 1 hour 2 years 1k years 9k years 33k years
11 10 hours 44 years 89k years 618k years 2m years
12 4 days 1k years 4m years 38m years 164m years
13 1 month 29k years 241m years 2bn years 11bn years
14 1 year 766k years 12bn years 147bn years 805bn years
15 12 years 19m years 652bn years 9tn years 56tn years
16 119 years 517m years 33tn years 566tn years 3qd years
17 1k years 13bn years 1qd years 35qd years 276qd years
18 11k years 350bn years 91qd years 2qn years 19qn years
View the original image from which this table was created at Hive Systems.      Data sourced from


Additional Password Information

All University students, faculty, and staff are required to change their University Computing Account password twice per year via the Accounts Self-Service page.

This important requirement enhances security and helps protect your data. It is one part of a larger, layered security strategy. Multiple security measures protect against hackers, phishing scams, malicious software, and myriad other threats to the University's computing environment.

Here is how the process works. You will be required to change your University Computing Account password at least once every 180 days. As you approach the 180 day limit for your current password, you will see Password Update and Security Questions windows. They will appear each time you log in to My Pitt, indicating how many days you have remaining to change your password. This information must be updated as requested by following the instructions on each page, or you could potentially be unable to access select services until this information is complete. The password cannot be re-used within a year, and you cannot reuse any of your previous six passwords.

Related Information

Additional Instructions

Frequently Asked Questions
Setting Your Security Questions
Reset Your Password if You Forget It
Important Notes about Resetting Your Password
Resetting Passwords for Sponsored Accounts


Print Article


Article ID: 36
Thu 7/13/23 4:26 PM
Tue 7/16/24 10:17 AM

Related Services / Offerings (1)

SECURITY CONSULTING AND EDUCATION KnowBe4 provides security awareness resources to train, promote and reinforce information security best practices.